Data Security Decoded
Episode: Data Weaponization: How Cyber Attacks Impact the Vulnerable
Date: April 8, 2025
Host: Caleb Tolan (Rubrik Zero Labs)
Guest: Pavlina Pavlova (Cybersecurity Expert, Cyberpeace Institute, UN Advisor)
Overview of Main Theme
This episode explores the weaponization of data—how data is increasingly used to manipulate, coerce, and harm individuals and institutions. Pavlina Pavlova, an internationally recognized cybersecurity advisor, discusses how such attacks especially impact vulnerable populations and critical infrastructure sectors such as healthcare, transportation, and education. The conversation emphasizes not just financial motivations but the disproportionate and immediate human consequences of cyberattacks, gender-specific impacts, and the challenges in both policy and frontline defense, particularly for under-resourced organizations.
Key Discussion Points & Insights
1. Defining Data Weaponization, Motives, and Gendered Consequences
- Broad Concept: Data weaponization isn't limited to sophisticated criminal hacks; it includes manipulation, deception, coercion, and all manner of harm, whether through breaches, unauthorized or authorized access, or social engineering.
- "Data weaponization, to me means the act of using data to manipulate, deceive, coerce, or attack someone, or otherwise inflict harm on them." — Pavlina Pavlova [01:29]
- Gendered Impacts: Attack consequences differ by gender and other vulnerabilities. Gendered harms manifest because similar attacks produce different consequences for women, men, and gender/sexual minorities.
- Example: Non-consensual sharing of intimate images and deep fakes disproportionately harms women. [01:29–03:28]
- "Just because it happens to a woman, it doesn't make it gendered. But if a woman and a man with a similar attack have different consequences, that makes the consequence gendered." — Pavlina Pavlova [02:25]
- Role of Policy: The new UN Cybercrime Convention increasingly recognizes issues like non-consensual data sharing and advanced forms of data weaponization (deep fakes, etc.).
2. Data Weaponization in Critical Infrastructure
- Healthcare Example: Ransomware attacks on hospitals and clinics disrupt urgent and essential services, with immediate impact.
- Impacts include canceled appointments and surgeries, diverted ambulances, and delayed or incorrect treatment.
- "During cyber attacks, nurses and doctors were giving wrong medication, or almost on the verge... because they lost access to data." — Pavlina Pavlova [04:00]
- Disproportionate Impact on Women: As primary caregivers and users of sexual/reproductive health services, women are more severely affected; stigma around health data (e.g., abortion or reproductive data) compounds harm.
- "When we speak about how national security is connected to the fact that cyber criminal gangs are publishing abortion data... in a hybrid conflict they do, because ... you have more and more means to use against the populations to undermine them." — Pavlina Pavlova [12:30]
3. Attack Evolution: Not More Sophisticated, But More Vicious
- Tactics: Most breaches leverage simple techniques—phishing, poor password practices, lack of multi-factor authentication—rather than technical innovation.
- Extortion Escalation: "Double and triple extortion" tactics (threatening to leak or publish data) are increasing.
- "Organizations are betting in having backups... so the cyber criminals also develop their tactics with having double and triple extortion in place." — Pavlina Pavlova [06:07]
- Political Dimensions: Attackers flourish in “sanctioned jurisdictions” that tolerate cybercriminals, sometimes aligning with nation-state interests.
4. Other Critical Sectors: Transportation, Education, Energy
- Parallels and Differences: Attacks on education (student records), transport (essential reliance by caretakers and women), and energy (broad social disruption) follow similar logic: disrupt society and induce fear.
- "With these attacks... the threatening for publishing those data is a very common practice... even if they are not published, the perception of threat and of risk increases." — Pavlina Pavlova [09:54]
5. Current Policy Gaps & the Gender Dimension
- Lack of Acknowledgement and Understanding: Systems and policies still fail to recognize the specific, often gendered, harms from cyber attacks.
- "One gap that I see persistently... is understanding and acknowledging the impacts." — Pavlina Pavlova [11:39]
- Hybrid Conflict Threats: The distinction between peace and war blurs—cyber attacks are persistent regardless of traditional conflict status.
- International Initiatives: Encouraging moves toward privacy and security by design; new multinational coalitions (like the International Counter Ransomware Initiative) provide hope for greater accountability and cooperation.
6. Practical Steps for Under-Resourced Organizations
- Data Minimization: Limit the collection of sensitive data to absolute necessities.
- "The collection of any data that you process must be responsible and must be minimized to what you really need to deliver the service." — Pavlina Pavlova [16:41]
- Use of Available Resources: Many free resources, cybersecurity volunteer organizations, and toolkits are available (shout outs to specific initiatives and organizations).
- Funding Structures Must Change: Donors/grantmakers must allow segments of funding to be used directly for cybersecurity measures.
- "Once they attract any funding, the funding is very rarely marked for cybersecurity protection... that's something also [that] needs to change." — Pavlina Pavlova [18:05]
- Wider Preparation: All organizations, regardless of size, need to expect and prepare for attacks ("not a question of if, but when").
- Mindset Shift: Both large public agencies and small NGOs are often underprepared and need to make cybersecurity a mainstream part of their mission.
Notable Quotes & Memorable Moments
- On the Nature of Attacks:
"Attacks aren't getting more sophisticated, they're getting more vicious."
— Caleb Tolan [03:28]
- On Societal Exposure:
"We live in a glass house and people are about to start throwing rocks."
— Pavlina Pavlova [12:08]
- On Policy Priorities:
"If there is a war ... it will be a hybrid conflict. ... Many of our adversaries have demonstrated that they are both willing and able to disrupt critical infrastructure."
— Pavlina Pavlova [12:37]
- On the Role of Donors and Funding:
"You give a grant to an organization to deliver services; you don't earmark it for also protecting those services ... that's something [that] needs to change."
— Pavlina Pavlova [18:05]
Timestamps for Important Segments
- Definition of Data Weaponization & Gendered Harm: [01:29–03:28]
- Healthcare & Critical Infrastructure Attacks: [04:00–08:31]
- Comparison across sectors (transportation, education): [08:31–10:46]
- Policy & Global/Regional Cooperation Needs: [11:39–15:05]
- Actionable Advice for Under-Resourced Orgs: [16:33–18:57]
- Closing & Recap: [20:08–20:56]
Takeaways
- Cyberattacks are evolving beyond financial gain to disrupt societal resilience—with real, immediate harm to vulnerable groups.
- Healthcare is a critical and glaringly vulnerable target; data breaches here have life-altering, gendered consequences.
- Current responses and policy frameworks lack nuance in addressing the societal and gendered impacts of modern attacks.
- Under-resourced organizations must focus on data minimization, leverage free resources, and advocate for donor flexibility in cybersecurity funding.
- Achieving global resilience requires broad collaboration—between nations and with the private sector—plus an honest public reckoning with our exposure to hybrid cyber threats.
